Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <%doc>
- Main configuration file for Squid daemon
- Parameters:
- snmpEnabled - Boolean indicating if SNMP is enabled or not
- </%doc>
- <%args>
- $port
- $transparent => undef
- $https => undef
- $filter
- $hostfqdn
- $auth
- $principal
- $realm
- $dn
- @rules
- %filterProfiles
- $authModeExternalAD => undef
- $adPrincipal => undef
- $adDC => undef
- $adAclTTL => 3600
- </%args>
- <%shared>
- our $objectPrefix = 'obj~';
- our $groupPrefix = 'grp~';
- our $adPrefix = 'ad~';
- our $timeDaysPrefix = 'timeDays~';
- our $timeHoursPrefix = 'timeHours~';
- our $maxAclNameLength = 31;
- our %longAclNames = ();
- </%shared>
- <%perl>
- sub _timeAclsInPolicy
- {
- my ($policy) = @_;
- my $acls = '';
- if ($policy->{timeDays}) {
- $acls = _aclForDays($policy->{timeDays});
- $acls .= ' ';
- }
- if ($policy->{timeHours}) {
- $acls .= _aclForHours($policy->{timeHours});
- }
- return $acls;
- }
- sub _aclForHours
- {
- my ($hours) = @_;
- return _aclName($timeHoursPrefix . $hours);
- }
- sub _aclForDays
- {
- my ($days) = @_;
- return _aclName($timeDaysPrefix . $days);
- }
- # needed because space scape doesnt work in acl names
- sub _escapeWS
- {
- my ($string) = @_;
- $string =~ s{\s}{~~}g;
- return $string;
- }
- # needed to avoid log acl problems
- sub _aclName
- {
- my ($name) = @_;
- if (length($name) <= $maxAclNameLength) {
- return _escapeWS($name);
- }
- if (not exists $longAclNames{$name}) {
- my $nextId = 1 + keys %longAclNames;
- $nextId = 'longAcl~' . $nextId;
- $longAclNames{$name} = $nextId;
- }
- return _escapeWS($longAclNames{$name});
- }
- sub _printSplitAcl
- {
- my ($acl, $members_r, $membersPerLine) = @_;
- $membersPerLine or $membersPerLine = 10;
- my @members = @{ $members_r };
- while (@members > 0) {
- my @membersInAcl = splice(@members, 0, $membersPerLine);
- $m->print("$acl @membersInAcl\n")
- }
- }
- sub _rulesACLs
- {
- my %args = @_;
- my @rules = @{ $args{rules} };
- my $realm = $args{realm};
- my %seenACL;
- foreach my $rule (@rules) {
- my $object = $rule->{object};
- my $group = $rule->{group};
- my $adDN = $rule->{adDN};
- my ($src, $aclName);
- if ($rule->{any}) {
- # for any object rule, there is not specific acl
- } elsif ($object) {
- $src = $object;
- $aclName = $objectPrefix . $object;
- } elsif ($group) {
- $src = $group;
- $aclName = $groupPrefix . $group;
- } elsif ($adDN) {
- $src = $adDN;
- $aclName = $adPrefix . $adDN;
- } else {
- next;
- }
- if ($aclName) {
- $aclName = _aclName($aclName);
- if ($seenACL{$aclName}) {
- # dont print again the ACL, but we cotinue to be able to get time ACLs
- # which will be different bztime overlapping ACLs are not allowed
- } elsif ($object) {
- my $acl = "acl $aclName src";
- _printSplitAcl($acl, $rule->{addresses});
- } elsif ($group) {
- # escape user names
- my @users = map { $_ =~ s{ }{\\ }g; $_ } @{$rule->{users}};
- if ($realm) {
- @users = map { $_ . '@' . $realm } @users;
- }
- my $acl = "acl $aclName proxy_auth";
- _printSplitAcl($acl, \@users);
- } elsif ($adDN) {
- my $acl = "acl $aclName external InetGroup";
- _printSplitAcl($acl, [ $adDN ]);
- } else {
- next;
- }
- $seenACL{$aclName} = 1;
- }
- if ($rule->{timeDays}) {
- my $aclName = _aclForDays($rule->{timeDays});
- if (not $seenACL{$aclName}) {
- $m->print("acl $aclName time " . $rule->{timeDays} . "\n");
- $seenACL{$aclName}= 1;
- }
- }
- if ($rule->{timeHours}) {
- my $aclName = _aclForHours($rule->{timeHours});
- if (not $seenACL{$aclName}) {
- $m->print("acl $aclName time " . $rule->{timeHours} . "\n");
- $seenACL{$aclName} = 1;
- }
- }
- }
- }
- </%perl>
- <%def .rulesAccess>
- <%args>
- @rules
- %profilesRulesStubs
- </%args>
- % foreach my $rule (@rules) {
- <%perl>
- my $aclName;
- my $object = $rule->{'object'};
- if ($rule->{any}) {
- $aclName = 'all';
- } elsif ($object) {
- $aclName = $objectPrefix . $object;
- }
- my $group = $rule->{'group'};
- if ($group) {
- $aclName = $groupPrefix . $group;
- }
- my $adDN = $rule->{adDN};
- if ($adDN) {
- $aclName = $adPrefix . $adDN;
- }
- my $acl = _aclName($aclName);
- my $timeAcls = _timeAclsInPolicy($rule);
- my $policy = $rule->{'policy'};
- if ($policy eq 'profile') {
- my $rulesStubs = $profilesRulesStubs{$rule->{profile}};
- if (not $rulesStubs) {
- # need to allow, to be able to pass it to DG
- $policy = 'allow';
- } else {
- # expand rules stubs
- my $baseAcls = "$timeAcls $acl ";
- foreach my $stub (@{$rulesStubs }) {
- my $ruleStr = $stub->{type};
- $ruleStr .= ' ' . $stub->{policy};
- $ruleStr .= ' ' . $baseAcls . _aclName($stub->{acl});
- $ruleStr .= "\n";
- # output the rule
- $m->print($ruleStr);
- }
- # dont produce normal rules in this case
- next;
- }
- }
- </%perl>
- http_access <% $policy %> <% $timeAcls %> <% $acl %>
- % }
- </%def>
- % #################################################################################################
- % my $transKey = '';
- % if ($transparent) {
- % $transKey = 'intercept';
- % }
- % my $sslBumpOptions = '';
- % if ($https) {
- % $sslBumpOptions = 'ssl-bump cert=/etc/squid3/self_signed_cert.pem key=/etc/squid3/self_signed_key.pem options=ALL';
- % }
- http_port <% $port %> <% $transKey%> <% $sslBumpOptions %>
- # END_TAG #
- visible_hostname (frontal)<% $hostfqdn %>
- coredump_dir /var/spool/squid3
- cache_effective_user proxy
- cache_effective_group proxy
- access_log /var/log/squid3/access.log squid
- cache_log /var/log/squid3/cache.log
- cache_store_log /var/log/squid3/store.log
- pid_filename /var/run/squid3.pid
- % if ($filter) {
- cache_peer localhost parent 3129 0 no-query no-digest proxy-only login=*:nopassword
- % } else {
- cache_peer localhost parent 3130 0 no-query proxy-only login=*:nopassword
- % }
- % if ($realm) {
- auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -i -s <% $principal %>@<% $realm %>
- auth_param negotiate children 10
- auth_param negotiate keep_alive on
- % } else {
- auth_param basic realm Zentyal HTTP proxy
- auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b ou=Users,<% $dn %> -u uid -p 390
- % }
- acl_uses_indirect_client on
- acl authorized proxy_auth REQUIRED
- % if ($https) {
- acl SSL_ports port 443 # https, snews
- acl SSL_ports port 873 # rsync
- # ssl-bump options and alllow ssl ports
- always_direct allow SSL_ports
- ssl_bump allow SSL_ports
- % }
- acl from_localhost src 127.0.0.0/8 ::1
- acl to_localhost dst 127.0.0.0/8 ::1
- % foreach my $acl (@{ $filterProfiles{acls} }) {
- % my ($declaration, $name, $params) = split '\s+', $acl, 3;
- % $name = _aclName($name);
- acl <% "$name $params" %>
- % }
- http_access allow to_localhost
- follow_x_forwarded_for allow from_localhost
- forwarded_for on
- log_uses_indirect_client on
- always_direct allow to_localhost
- # force clients to use squid-external
- never_direct allow all
- % if ($authModeExternalAD) {
- ##
- ## Authorization
- ##
- external_acl_type InetGroup ipv4 children=5 ttl=<% $adAclTTL %> %LOGIN /usr/share/zentyal-squid/squid_ldap_group_sid.pl \
- --strip-realm \
- --host "<% $adDC %>" \
- --keytab /etc/squid3/HTTP.keytab \
- --principal <% $adPrincipal %>
- % }
- ##
- ## ACLs from model rules
- ##
- % _rulesACLs(rules => \@rules, realm => $realm );
- ##
- ## Access
- ##
- <& .rulesAccess, rules => \@rules, profilesRulesStubs => $filterProfiles{rulesStubs} &>
- ##
- ## Default policy
- ##
- # All acces denied by default if no other allow rule matchs
- http_access deny all
- # reply access allowed if not denied before
- http_reply_access allow all
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement